Process Hacker DLL Hijacking

Hi Wen Jia,
You probably heart about the Java issue which affected their installer. (http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html)
However this issue al Hi Wen Jia,
You probably heart about the Java issue which affected their installer. (http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html)
However this issue also affects multiple other installers as a security researcher has shown. (https://packetstormsecurity.com/files/author/6137/) It is called DLL Hijacking. I've copied a few general statements from there as they also apply to this issue.

So I had a look whether your installer are also vulnerable. Spoiler: They are. Here are my results.
Note I only tested this on Windows 7 32bit with PH v2.37.

So your setup file processhacker-2.37-setup.exe loads and executes the DLL dwmapi.dll from the application directory. This is a security issue, because a rogue dwmapi.dll could have been planted there. And for software downloaded with a web browser the application directory is typically the user's "Downloads" directory. For more information about this "download folder planting" have a look at these sites:
* https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html
* http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
* http://seclists.org/fulldisclosure/2012/Aug/134

Here is how you can reproduce this:
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store
it as dwmapi.dll in your "Downloads" directory;

2. download processhacker-2.37-setup.exe and store it in your "Downloads" directory;

3. run processhacker-2.37-setup.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLL placed in step 1.

Additionally the installer also copies itself to the unsafe temp directory of Windows. The path is like this: %temp%is-<5 hex digits>.tmpprocesshacker-2.37-setup.tmp. These DLLs can be overwritten by an unprivileged user between their creation and execution, resulting in an escalation of privilege.

Finally the Process Hacker application itself is also vulnerable. This time an executable file is incorrectly called.

So have a look at http://msdn.microsoft.com/library/cc144175.aspx and http://msdn.microsoft.com/library/cc144101.aspx:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

When ProcessHacker.exe is calls the peview.exe (e.g. when choosing to inspect a PE file in the Tools menu) the executable is called like this:

C:Program FilesProcess Hacker 2peview.exe


The correct way to call it would be quoted:

"C:Program FilesProcess Hacker 2peview.exe"


So when incorrectly called a (malicious) file named C:Program.exe may be executed.

Steps to reproduce/Prove of concept:
1. Download http://home.arcor.de/skanthak/download/SENTINEL.EXE and copy it to C: and rename it to Program.exe.

2. Start the peview from ProcessHacker.exe.

3. You'll see a message box from C:Program.exe.

You can see this issue in this animated gif: https://mega.nz/#!HFh1waqQ!iY-8gCvthQaquYhKETKw7sG8wunX9OjVNHjLPHUWFkk

I hope you can fix this issues soon.

Best regards,
<privat>

----
Timeline:

* 2016-02-16: send
* 2016-02-27: All issues reproduced with Process Hacker v2.38, report send again via mail and PM send to dmex
* 2016-02-27:
* Received reply from wj32 with request to post this on GitHub or in the forums. I declined and explained why I won't do this.
* Received reply from dmex and send the full mail conversation to him.
* Received reply from wj32:
> We do not make Inno Setup, so report this bug to them. I will fix the peview bug soon.

Inno Setup bug seems to be already reported.
* 2016-03-29: Asked whether this issue is fixed in the new release of PH (v2.39).
* 2016-05-28: Report published

Leave a comment